On Oct 8, 2013, at 6:51 PM, Alan Clegg <a...@clegg.com> wrote:

> On Oct 8, 2013, at 6:42 PM, David Newman <dnew...@networktest.com> wrote:
>>
>> Problem is, dig says the key is still active, and will be until 29
>> October 2013:
>>
>> $ dig networktest.com @localhost +multi rrsig | grep 56989
>>
>> 20131029191450 20130929181450 56989 networktest.com.
>
> You don't provide all of the record. It's an RRSIG that is still within its
> lifetime.
>
> Do a dig for "DNSKEY" retype at the zone name and see what you get back.
That was "type", not "retype".

Anyway, this brings up a request that I've made that all RRSIG records be removed if the associated DNSKEYs are removed, but at this point, it's not the default. This is taken from "man dnssec-signzone":

    -R  Remove signatures from keys that no longer exist.

        Normally, when a previously-signed zone is passed as input to the
        signer, and a DNSKEY record has been removed and replaced with a new
        one, signatures from the old key that are still within their validity
        period are retained. This allows the zone to continue to validate with
        cached copies of the old DNSKEY RRset. The -R forces dnssec-signzone to
        remove all orphaned signatures.

I believe that this should be the default behavior (otherwise, we get double signatures when rolling ZSKs). The point of doing all of the timing calculation surrounding key rollover is to solve the problem of those cached keys; I don't think that dnssec-signzone (or the automated signing) is doing anyone a favor. Or there needs to be a zone (and global) specific option that allows the same "-R" behavior during automated rollovers.

AlanC
-- 
Alan Clegg | +1-919-355-8851 | a...@clegg.com
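The check Alan is pointing David at (compare the key tag in each RRSIG against the DNSKEY RRset actually published at the apex, rather than trusting the RRSIG's own validity window) can be scripted. The following is an added example, not code from the thread or from BIND: it takes captured `dig` output (default or `+multi` form), computes each DNSKEY's key tag with the RFC 4034 Appendix B algorithm, and reports every RRSIG whose key tag matches no published DNSKEY, noting whether that signature is still inside its inception/expiration window. The sample records are constructed: the two DNSKEYs carry tiny dummy public keys (not real keys, so their tags 31429 and 2062 are only meaningful for this example), and the orphaned RRSIG reuses the timestamps and key tag 56989 from David's message.

```python
"""Report RRSIGs whose signing DNSKEY is no longer published in the zone.

Added example (not from the bind-users thread or from BIND). Key tags are
computed per RFC 4034 Appendix B; all sample records below are constructed.
"""
import base64
from datetime import datetime, timezone

# Constructed sample in dig output format: two DNSKEYs with dummy public keys,
# one RRSIG made by a key (tag 56989) that is no longer in the DNSKEY RRset,
# and one RRSIG made by the current ZSK (tag 2062).
SAMPLE_DIG_OUTPUT = """\
networktest.com.  3600 IN DNSKEY 257 3 8 qrvM ; KSK, dummy key, key id = 31429
networktest.com.  3600 IN DNSKEY 256 3 8 AQIDBA== ; ZSK, dummy key, key id = 2062
networktest.com.  3600 IN RRSIG SOA 8 2 3600 (
                        20131029191450 20130929181450 56989 networktest.com.
                        c2lnbmF0dXJl ) ; signed by a DNSKEY no longer published
networktest.com.  3600 IN RRSIG SOA 8 2 3600 20131029191450 20130929181450 2062 networktest.com. c2lnbmF0dXJl
"""


def normalize_dig_output(text):
    """Strip ';' comments and join dig +multi continuation lines (the
    parenthesised form) so that every RR occupies exactly one line."""
    records, buf = [], ""
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        buf = (buf + " " + line) if buf else line
        if buf.count("(") > buf.count(")"):
            continue  # still inside a multi-line record
        records.append(buf.replace("(", " ").replace(")", " "))
        buf = ""
    return records


def dnskey_key_tag(flags, protocol, algorithm, pubkey):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (flags, protocol,
    algorithm, public key). Not valid for algorithm 1 (RSA/MD5)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_rrsig_time(ts):
    """RRSIG inception/expiration in YYYYMMDDHHMMSS form, as UTC."""
    return datetime.strptime(ts, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def published_key_tags(records):
    """Map key tag -> owner names for every DNSKEY in the normalized records.
    The base64 key may be split into several whitespace-separated chunks."""
    tags = {}
    for rec in records:
        f = rec.split()
        if len(f) < 8 or f[3].upper() != "DNSKEY":
            continue
        pubkey = base64.b64decode("".join(f[7:]))
        tag = dnskey_key_tag(int(f[4]), int(f[5]), int(f[6]), pubkey)
        tags.setdefault(tag, []).append(f[0])
    return tags


def orphaned_rrsigs(records, now):
    """Return (type_covered, key_tag, still_valid) for each RRSIG whose key
    tag matches no DNSKEY in `records`. A signature can be orphaned and still
    be inside its validity window, which is exactly the thread's situation."""
    tags = published_key_tags(records)
    orphans = []
    for rec in records:
        f = rec.split()
        if len(f) < 12 or f[3].upper() != "RRSIG":
            continue
        key_tag = int(f[10])
        if key_tag in tags:
            continue
        expiration, inception = parse_rrsig_time(f[8]), parse_rrsig_time(f[9])
        orphans.append((f[4], key_tag, inception <= now <= expiration))
    return orphans


def main():
    records = normalize_dig_output(SAMPLE_DIG_OUTPUT)
    now = parse_rrsig_time("20131008185100")  # roughly when the thread was written
    print("published DNSKEY key tags:", sorted(published_key_tags(records)))
    for type_covered, key_tag, valid in orphaned_rrsigs(records, now):
        state = "still within its validity period" if valid else "expired"
        print(f"RRSIG over {type_covered} by key tag {key_tag}: orphaned, {state}")


if __name__ == "__main__":
    main()
```

To run it against a live zone, replace `SAMPLE_DIG_OUTPUT` with the concatenated output of `dig +noall +answer <zone> DNSKEY` and `dig +noall +answer <zone> RRSIG` (with or without `+multi`). Two caveats: key tags are not unique, so a tag collision between a withdrawn and a current key could hide an orphan, and this script only reports; removing the orphaned signatures themselves is what `dnssec-signzone -R` does, as quoted above.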
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users